Blocking Your Users From the Web Is Tricky

My company has a long-standing policy of not allowing [employees to browse the Web], except for a few executives. I'm trying to change that policy, but I'm encountering a lot of resistance. Now we've discovered that some of our users are browsing the Web by using the proxy server settings in their browsers and going out on ports other than 80. On the one hand I need to find a way to stop this, and on the other hand I think it's a stupid policy in the first place.

Can you give any technical advice as well as advice on what other people in my situation are doing with outdated policies?

Ed Linger

Brooks: Well, neither answer here is all that easy. If you have that strict of an Internet usage policy, my guess is that you don't allow any Internet access at all from individual workstations; e-mail, I would think, goes through a main server. In that case you could block all Internet access from your clients at the firewall, while allowing your mail server (and other servers) through.

If for some reason you need clients to send e-mail directly or use POP3 or similar applications, you could explicitly open those ports. But if you're having trouble with users who are too clever, my guess is it won't be long before you see proxy servers running on port 25, or whatever other port you allow. It's a losing battle.

As for the policy, I don't know what to tell you. Corporate mandates can be hard to change. Maybe you can solve two problems at once by letting the problem users know that you're on to them and asking them to document (legitimate) needs that they have for the Web. If you can show the big bosses that people have to dodge policy to do their job, things may change. Or not. Of course a third possibility is that you might get fired. One of these three outcomes seems likely.

Lori: Wow, I use the Internet so much for my job that I can't imagine not having access to it. But I understand that not all jobs rely on information on the Internet. If users are breaking policy, you need to find out why as well as why your company has such a strict policy.

Are they trying to save money due to expensive lines, reduce bandwidth, or simply stop users from surfing for chat rooms or details for that vacation they're planning? Do these users need the Internet to do their jobs, such as Web conferencing with distant colleagues, ordering products and supplies, conducting research, and communicating with business partners?

I think a little research on their needs is required to revisit the policy. If users do need to use the Internet, then maybe the policy can be adjusted.

At the very least, maybe you can set up a kiosk for specific workstation usage in a central location. An occasional Internet surf on a central workstation is a nice employee perk.

We have a Unix machine setup with syslog daemon and Perl script to scan though log files for specific events and e-mail them to different people. We have been doing this for several Unix systems where logs are sent to this syslog server.

I would like to do this for several [Windows] NT servers as well. Is there a utility that can send NT event logs to a syslog server? This needs to happen as soon as a new event is logged on an NT machine. It should also be sent over to the syslog server. Is there any way to do this?

Moe Arif

Brooks: There are a number of tools that might be able to help you, but I'd like to plug an alternative. What you're doing sounds like a natural place for SNMP rather than syslog. A big part of SNMP's purpose in life is to proactively raise alerts when things go wrong. Coupled with a strong SNMP management package such as Open View or Optivity, you can effectively delegate those alerts to different staff members in a much more flexible manner than simple syslog and e-mail. You'll also gain a wealth of other benefits, including remote configuration, trending, and generally better peace of mind.

But if you're determined to go with syslog, Adiscon offers EventReporter, which does exactly what you're looking for. You can find more information at www.eventreporter.com/en.

(Brooks Talley is senior business and technology architect for InfoWorld.com.

Lori Mitchell is a senior analyst in the Test Center. Send your questions for them to testcenter_rx@infoworld.com.)

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.